Smartcards and access controls

Version 1.1, 10 February 2023

This guidance is part of the Information governance and data protection section of the Good practice guidelines for GP electronic patient records.

Smartcards and role-based access control (RBAC)

Patients need to be confident that the information within their medical record is kept safe, secure, and confidential.

NHS staff and healthcare professionals who have a justified need to view personal and clinical information appropriate to their role are issued with an NHS smartcard which will allow them access to the appropriate level of patient information.

Smartcards are like chip and PIN bank cards and are used in conjunction with a passcode known only to the smartcard holder, via a smartcard reader.  They provide secure and auditable access to NHS Spine-enabled health record systems such as Summary Care Record, Personal Demographics Service, Electronic Prescriptions Service, e-Referral Service, as well as general practice clinical systems.

Care identity service

The Care Identity Service (CIS) is an electronic system authorised and regulated by NHS Digital[1], to register, issue and control NHS smartcard access for more than 800,000 users.  Access is provided to an online portal for smartcard users and managers.  It provides a single location for all registration authority activities. 

CIS ensures that users of healthcare IT systems are provided with a national digital identity, with appropriate levels of access to the NHS care records service.  As CIS is an integrated application, it provides high levels of governance and auditability, and supports efficient ways of working.

You can find news and up-to-date service information in the Registration Authority user guides.

Issue of smartcards

The issue of NHS smartcards is governed by a locally based registration authority (RA) which supports primary care organisations to manage the issue and maintenance of smartcards via trained registration managers, or local smartcard administrators, based in primary care organisations.  These authorised staff have been trained to create identities and to grant and manage access for themselves and other users, according to the roles they hold within their organisation. 

It is best practice to have more than one staff member in each primary care organisation trained to manage smartcards.  These staff can have different levels of authority dependent on their role within the organisation.

Roles and responsibilities of RAs

The roles and responsibilities of registration authorities are defined by NHS registration authority policy.  

NHS Digital has published a list of registration authorities, for primary care, with contact details.

NHS smartcards will only be issued to individuals who have had their identity verified to national identity check standards by the registration manager or local administrator.   

Future developments will result in access via a smartcard being available virtually without the need for a smartcard reader.  There is a separate article on this subject entitled National Care Identity Service 2 (CIS2).

Passcodes

The combination of an NHS smartcard and a user’s unique passcode helps to protect the security and confidentiality of every patient’s personal and healthcare information.

During the registration process, all users must read and accept the terms and conditions for the use of a personal smartcard before this can be issued.  Any breach of these terms and conditions should be linked to an organisation’s disciplinary measures.

The electronic chip in a smartcard stores the unique user identifier (UUID) within the NHS Spine directory, which holds the digital identity information for each smartcard user.  Each time a user logs into the NHS Spine using their personal passcode, their access is authenticated and they are presented with a list of active roles assigned to their smartcard.  

Role-based access control (RBAC)

Each NHS smartcard will have role-based access codes (RBAC) assigned which will allow the user to be electronically authenticated each time they view a patient record. This role will determine what each user can see and what they can do in a patient record.

Primary care staff who work across a primary care network (PCN), remotely or within a number of different practices should have the appropriate role-based access codes assigned to their smartcard for each individual practice.

Levels of access are restricted to essential data items or functions, as well as specific locations where the card may be used, based on the role of the user within that organisation.  This is known as position-based access control (PBAC).

Role-based access control (RBAC) is a way of ensuring that users are suitably authorised because:

  • users are assigned pre-defined roles, for example, as a general practitioner, receptionist, health care assistant, etc.
  • roles are linked to pre-defined activities, for example, general practitioners can view patients’ demographic details
  • users can have multiple roles, for example, a user might be both a general practitioner and a privacy officer
  • roles can be linked to multiple activities, for example, a general practitioner might be able to both view and amend patients’ demographic details

National RBAC database

NHS Digital owns and maintains a national database of roles and permissions for healthcare workers.  This is called the ‘national RBAC database’.

The database comprises:

  • job roles (‘R’ codes): the set of roles that can be assigned to users, for example Clinical practitioner (R8000)
  • activities (‘B’ codes): the set of activities that users can perform, for example Amend patient demographics (B0825)
  • baseline policy: the default mapping of roles to activities, for example a Clinical Practitioner can perform the Amend patient demographics activity
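
An added illustration (not NHS Digital or CIS code) of the model described above: roles map to activities through a baseline policy, a user can hold several roles, and each role is assigned per practice. R8000 and B0825 come from this page; every other role, activity and organisation code, and the UUID, is a constructed placeholder.

```python
from dataclasses import dataclass

# Baseline policy: default mapping of job roles ('R' codes) to activities ('B' codes).
# R8000 and B0825 are the examples given in the guidance. The remaining codes are
# constructed placeholders, not entries from the national RBAC database.
BASELINE_POLICY = {
    "R8000": {"B0825", "B-EXAMPLE-VIEW-DEMOGRAPHICS"},         # Clinical practitioner
    "R-EXAMPLE-RECEPTIONIST": {"B-EXAMPLE-VIEW-DEMOGRAPHICS"},
    "R-EXAMPLE-PRIVACY-OFFICER": {"B-EXAMPLE-VIEW-AUDIT"},
}

@dataclass(frozen=True)
class RoleAssignment:
    role: str          # 'R' code
    organisation: str  # practice the role was granted for (constructed codes)

@dataclass
class SmartcardUser:
    uuid: str
    assignments: list

def permitted_activities(user, organisation):
    """Union of activities from every role the user holds at this organisation."""
    allowed = set()
    for a in user.assignments:
        if a.organisation == organisation:
            # Unknown role codes grant nothing (deny by default).
            allowed |= BASELINE_POLICY.get(a.role, set())
    return allowed

def is_permitted(user, organisation, activity):
    """A role held at one practice gives no rights at another practice."""
    return activity in permitted_activities(user, organisation)

# Constructed user working across two practices in a primary care network.
user = SmartcardUser("000000000001", [
    RoleAssignment("R8000", "PRACTICE-A"),
    RoleAssignment("R-EXAMPLE-PRIVACY-OFFICER", "PRACTICE-A"),
    RoleAssignment("R-EXAMPLE-RECEPTIONIST", "PRACTICE-B"),
])

if __name__ == "__main__":
    for org in ("PRACTICE-A", "PRACTICE-B", "PRACTICE-C"):
        print(org, sorted(permitted_activities(user, org)))
```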

Security and confidentiality

All staff issued with an NHS smartcard have a duty to keep patient information secure and confidential at all times.  Any access to patient data is auditable and traceable back to the holder of a smartcard.  Smartcards should, therefore, be treated the same as a credit or debit card.  Passcodes should never be shared and should be kept safe and secure.

Smartcard holders must follow these simple rules:

  • Never allow anyone else to use your smartcard.
  • Never leave your smartcard unattended.
  • Never leave your smartcard in a smartcard reader when you are not using it.
  • Always keep your smartcard in a safe and secure place when not in use.
  • Any lost, stolen or damaged smartcards must be reported immediately to the local RA team or local smartcard administrator.

All NHS staff, including RA personnel, should only ever have one NHS smartcard showing their UUID and photograph.   

If a smartcard is lost or misplaced, this must be reported to the Registration Authority via the appropriate channel.  A replacement smartcard can be issued but the original smartcard must be cancelled remotely.

Smartcard certificates

NHS smartcards contain expiry certificates which are time limited and must be renewed at least every two years according to the Public Key Infrastructure policy.

Individuals will see a pop-up prompt when it is time for the certificate to be renewed and can renew their own smartcard certificates within a 90-day renewal period.  Users can renew their own smartcard certificate twice in succession but every third renewal must be completed by their local smartcard administrator as an additional security check.

The CIS takes users through the self-renewal process.

Once certificates have expired they will need to be renewed either by a local RA manager, local smartcard administrator or the IT service desk. 

Smartcard repairs

Smartcards which are damaged or do not permit the user to login to the NHS Spine may need to be repaired, using the repair card process.  This can be as a result of the smartcard certificate becoming corrupted or a problem when the card has been issued.

The card repair process removes all existing certificates assigned to the smartcard and reissues the certificates which require the user to set a new unique passcode. 

Repairs can be completed by RA staff or a local smartcard administrator, via the care identity service (CIS).

Smartcards usually become locked after a number of failed attempts to login with a personal passcode.  Locked smartcards can be unlocked by individuals without the need to contact RA staff or a local smartcard administrator. 

Staff leaving the organisation

NHS smartcards are a national token of identity and are not specific to any organisation.  Any staff who leave to work in another health and social care setting either now or in the future should retain their smartcard.

RA staff or local smartcard administrators should revoke access rights to an organisation from the date the holder leaves.

Staff who are leaving the NHS or healthcare permanently should have their smartcard cancelled or destroyed.

Other leavers

Other rules apply when staff are on extended leave:

  • Short-term leave up to 6 months: users should retain their smartcard. RA staff or local smartcard administrators should remove organisational access via CIS from the last working day and then reinstate appropriate access via CIS when the user returns from leave.
  • Extended leave of more than 6 months: users should retain their NHS smartcard. RA staff or local smartcard administrators should end organisational access via CIS.  If the user returns to the organisation after 6 months a new application for access should be made.
  • Parental leave: as long as the user intends to return to the organisation they should retain their NHS smartcard and organisational access should be removed if the absence is longer than 6 months.

Summary

  • NHS organisations acting as registration authorities use the Care Identity Service to issue and manage smartcards to authorised NHS staff.
  • A smartcard is used in a card reader with a unique passcode by staff authorised by their employer to access NHS Spine-enabled information systems.  Spine systems hold personal and clinical information relating to NHS patients. 
  • Audit and security features are embedded within smartcards and their use, to protect patient confidentiality.
